Adtech Phase 2: 


ICO. ico.org.uk 


What did we focus on and what did we do?


Information Commissioner's Office 


Key areas of focus:

* Processing of special category data
* Data supply chain: security and contractual controls

Actions:

* Further information gathering exercises
* Detailed engagement with key actors eg IAB, Google
* Liaising with other DPAs
* Further work on policy positions
* Looking ahead to solutions/alternatives




Update report into adtech and real time bidding

20 June 2019




A reminder... 


* Lawful basis and transparency
* Processing of special category data
* LI tests and safeguards
* Risk assessments and DPIAs
* Complex & unclear privacy information
* Disproportionate sharing of information
* Data supply chain - contractual controls
* Data minimisation and retention
* Security guarantees


Special categories of data (SCD) 


Article 9(1) GDPR 


Personal data revealing:

* racial or ethnic origin;
* political opinions;
* religious or philosophical beliefs;
* trade union membership

Processing of:

* genetic data;
* biometric data for the purposes of uniquely identifying a natural person;
* data concerning health;
* data concerning a natural person's sex life or sexual orientation


1. Confirmed: some direct processing of SCD, without explicit consent

2. Confirmed: processing of SCD by inference

3. Established: general reliance on contracts to limit SCD processing

BUT: Widespread agreement on SCD among industry




Data supply chain: security, contractual controls


4. Confirmed: over-reliance on contracts as 'guarantees' of security

5. Confirmed: inconsistent contractual arrangements / terms

6. Confirmed: lack of clarity over controller/processor (and joint controller) arrangements

7. Confirmed: lack of specific details on security measures




Transparency, lawful basis and risk assessments


8. Confirmed: inadequate and (in some cases) inaccurate transparency information

9. Confirmed: Privacy policies lack clarity and information provided is conflicting

10. Confirmed: Unclear how to withdraw consent

11. Confirmed: Poor standard of legitimate interests assessments




12. Confirmed: Inadequate and inconsistent DPIAs


Established:

- Need to do DPIAs not generally identified
- Processing descriptions not systematic
- Little evidence of internal/external consultation
- Inadequate necessity and proportionality assessments
- Inadequate assessment of risks to individual rights




Additional 


Data retention: 


* Retention of personal data from bid requests and responses without justification
* Lack of appreciation of retention requirements
* Lack of consistent or standardised retention periods
* Large volumes of personal data retained for no good reason




What happens next? 

Keep in touch




@ICOnews




